Practical and Private (Deep) Learning without Sampling or Shuffling (2103.00039v3)

Abstract: We consider training models with differential privacy (DP) using mini-batch gradients. The existing state-of-the-art, Differentially Private Stochastic Gradient Descent (DP-SGD), requires privacy amplification by sampling or shuffling to obtain the best privacy/accuracy/computation trade-offs. Unfortunately, the precise requirements on exact sampling and shuffling can be hard to obtain in important practical scenarios, particularly federated learning (FL). We design and analyze a DP variant of Follow-The-Regularized-Leader (DP-FTRL) that compares favorably (both theoretically and empirically) to amplified DP-SGD, while allowing for much more flexible data access patterns. DP-FTRL does not use any form of privacy amplification. The code is available at https://github.com/google-research/federated/tree/master/dp_ftrl and https://github.com/google-research/DP-FTRL .

• The paper introduces DP-FTRL, a differentially private learning algorithm that bypasses sampling and shuffling while maintaining competitive privacy-utility trade-offs.
• It leverages an online learning framework with tree aggregation to add correlated noise, reducing variance compared to traditional DP-SGD methods.
• Empirical and theoretical analyses confirm that DP-FTRL performs effectively in federated settings, offering robust privacy guarantees and enhanced practicality for streaming data.

Practical and Private (Deep) Learning Without Sampling or Shuffling

The paper "Practical and Private (Deep) Learning Without Sampling or Shuffling" introduces an innovative approach to differentially private (DP) learning by developing a new method called Differentially Private Follow-the-Regularized-Leader (DP-FTRL). The existing standard, Differentially Private Stochastic Gradient Descent (DP-SGD), typically relies heavily on privacy amplification through random sampling or shuffling to achieve optimal privacy-utility trade-offs. However, these operations can pose significant difficulties, particularly in federated learning (FL) scenarios where controlling data access uniformly is challenging. DP-FTRL is presented as a solution that circumvents the necessity for such privacy amplification techniques, allowing more flexible data access patterns while maintaining competitive privacy and utility guarantees.

Core Concepts and Contributions

1. Algorithm Design:
   • The proposed DP-FTRL algorithm is rooted in online learning paradigms, specifically adapting the Follow-the-Regularized-Leader (FTRL) framework to incorporate differential privacy, without requiring sampling or shuffling.
   • DP-FTRL implements the tree aggregation technique to introduce noise in a manner that preserves differential privacy, while utilizing correlated noise, as opposed to the independent noise addition in DP-SGD. This approach avoids the amplified noise required by sampling-based DP-SGD techniques.
2. Comparison with DP-SGD:
   • DP-FTRL is shown to outperform unamplified DP-SGD across different privacy regimes. Notably, in operational scenarios with high accuracy and lower privacy requirements, DP-FTRL surpasses even the amplified versions of DP-SGD, thus highlighting its superior efficacy.
   • The paper provides a detailed theoretical assessment comparing the noise variances in the two methods, establishing that DP-FTRL can be made equivalent to DP-SGD with privacy amplification, albeit without the need for sampling setups.
3. Practicality in Federated Learning:
   • In federated learning applications, where the constraints on data access are pronounced, DP-FTRL emerges as a practical alternative due to its flexibility in handling arbitrary data sequences.
   • The privacy accounting performed in the DP-FTRL algorithm confirms its robustness under streaming and distributed data environments, making it particularly suitable for federated settings.
4. Theoretical Guarantees:
   • The proposed algorithm demonstrates strong regret bounds and high-probability population risk guarantees, further supplemented by the comprehensive analysis of composite loss settings.
5. Empirical Evaluation:
   • Empirical studies on benchmarks such as MNIST, CIFAR-10, EMNIST, and StackOverflow exemplify the practical viability of DP-FTRL. The results exhibit notable enhancements in privacy/computation trade-offs, with DP-FTRL outshining DP-SGD in several setups, particularly when privacy amplification is hard to achieve.
6. Algorithm Variants and Extensions:
   • The paper introduces practical extensions such as minibatch implementation and multiple epochs support. These variants explored within the empirical evaluation section provide insights into the deployment of DP-FTRL across varying computational constraints.

Implications and Future Directions

The formulation of DP-FTRL without reliance on sampling significantly broadens the horizon for deploying DP algorithms in environments where data access patterns are naturally non-random, as in federated learning. This methodology introduces potential avenues for future research in enhancing DP techniques in distributed systems. Moreover, continued exploration into optimizing the tree aggregation process and reducing the analytical noise variance can further strengthen the utility of DP-FTRL under diverse privacy settings.

The paper proposes addressing the fundamental question of obtaining optimal excess population risk guarantees within a single-pass algorithm, which remains an intriguing direction for subsequent studies. It also opens up discussions regarding the integration of better gradient estimates that could narrow the empirical performance gap observed at lower privacy levels compared to DP-SGD.

By grounding the theoretical constructs with practical insights and empirical validation, this research provides a comprehensive framework for realizing practical differentially private deep learning models that do not compromise on computational flexibility or model utility.